Apparatuses, methods, and systems for configuring a trusted java card virtual machine using biometric information

ABSTRACT

Apparatuses, methods, and systems are provided for securely configuring a Java Card virtual machine operating on a cellular device&#39;s application processor. In one embodiment, a connected device with an integrated cellular modem, a virtual universal integrated circuit chip and an integrated fingerprint scanner are used. In another embodiment, the cellular device&#39;s built-in camera is used, instead of an integrated fingerprint scanner, to capture the user&#39;s facial image.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent applicationSer. No. 15/838,611, filed Dec. 12, 2017, by Ismaila Wane, entitled,“APPARATUSES, METHODS AND SYSTEMS FOR CONFIGURING A TRUSTED JAVA CARDVIRTUAL MACHINE USING BIOMETRIC INFORMATION”, which is a continuation ofU.S. patent application Ser. No. 15/040,410, filed Feb. 10, 2016, byIsmaila Wane, entitled, “APPARATUSES, METHODS AND SYSTEMS FORCONFIGURING A TRUSTED JAVA CARD VIRTUAL MACHINE USING BIOMETRICINFORMATION”, which claims priority benefit of U.S. Provisional PatentApplication No. 62/162,740, filed May 16, 2015, by Ismaila Wane,entitled “METHOD FOR VIRTUALIZING A REPROGRAMMABLE UNIVERSAL INTEGRATEDCIRCUIT CHIP ON AN APPLICATION PROCESSOR”, and claims priority benefitof U.S. Provisional Patent Application No. 62/171,246, filed Jun. 5,2015, by Ismaila Wane, entitled, “METHOD FOR CONFIGURING A TRUSTED JAVACARD VIRTUAL MACHINE USING BIOMETRIC INFORMATION”;

This application is also a continuation-in-part of U.S. patentapplication Ser. No. 16/124,136, filed Sep. 6, 2018, by Ismaila Wane,entitled, “APPARATUSES, METHODS AND SYSTEMS FOR IMPLEMENTING A TRUSTEDSUBSCRIPTION MANAGEMENT PLATFORM”, which is a continuation-in-part ofU.S. patent application Ser. No. 15/838,611, filed Dec. 12, 2017, byIsmaila Wane, entitled, “APPARATUSES, METHODS AND SYSTEMS FORCONFIGURING A TRUSTED JAVA CARD VIRTUAL MACHINE USING BIOMETRICINFORMATION”, which is a continuation of U.S. patent application Ser.No. 15/040,410, filed Feb. 10, 2016, by Ismaila Wane, entitled,“APPARATUSES, METHODS AND SYSTEMS FOR CONFIGURING A TRUSTED JAVA CARDVIRTUAL MACHINE USING BIOMETRIC INFORMATION”, which claims prioritybenefit of U.S. Provisional Patent Application No. 62/162,740, filed May16, 2015, by Ismaila Wane, entitled “METHOD FOR VIRTUALIZING AREPROGRAMMABLE UNIVERSAL INTEGRATED CIRCUIT CHIP ON AN APPLICATIONPROCESSOR”, and claims priority benefit of U.S. Provisional PatentApplication No. 62/171,246, filed Jun. 5, 2015, by Ismaila Wane,entitled, “METHOD FOR CONFIGURING A TRUSTED JAVA CARD VIRTUAL MACHINEUSING BIOMETRIC INFORMATION”, and U.S. patent application Ser. No.16/124,136, filed Sep. 6, 2018, by Ismaila Wane, entitled, “APPARATUSES,METHODS AND SYSTEMS FOR IMPLEMENTING A TRUSTED SUBSCRIPTION MANAGEMENTPLATFORM” is a continuation-in-part of U.S. patent application Ser. No.14/856,991, filed Sep. 17, 2015, by Ismaila Wane, entitled “APPARATUSES,METHODS AND SYSTEMS FOR IMPLEMENTING A TRUSTED SUBSCRIPTION MANAGEMENTPLATFORM”, which claims priority benefit of U.S. Provisional PatentApplication No. 62/051,311, filed Sep. 17, 2014, by Ismaila Wane,entitled, “APPARATUS, METHODS AND SYSTEM FOR A TRUSTED SUBSCRIPTIONMANAGEMENT PLATFORM”, and claims priority benefit of U.S. ProvisionalPatent Application No. 62/078,006, filed Nov. 11, 2014, by Ismaila Wane,entitled, “METHODS FOR A SYSTEM-ON-CHIP WITH INTEGRATED REPROGRAMMABLECELLULAR NETWORK CONNECTIVITY”, and claims priority to U.S. ProvisionalPatent Application No. 62/162,740, filed May 16, 2015, by Ismaila Wane,entitled “METHOD FOR VIRTUALIZING A REPROGRAMMABLE UNIVERSAL INTEGRATEDCIRCUIT CHIP ON AN APPLICATION PROCESSOR”, and claims priority benefitof U.S. Provisional Patent Application No. 62/171,246, filed Jun. 5,2015, by Ismaila Wane, entitled, “METHOD FOR CONFIGURING A TRUSTED JAVACARD VIRTUAL MACHINE USING BIOMETRIC INFORMATION”.

The entire contents of each of the above applications are incorporatedherein by reference.

This application is also related to U.S. Provisional Patent ApplicationNo. 62/051,311, filed Sep. 17, 2014, and U.S. Provisional PatentApplication No. 62/078,006, filed Nov. 11, 2014.

The entire contents of each of the above applications are incorporatedherein by reference.

TECHNOLOGICAL FIELD

Example embodiments of the present invention relate generally to thefields of software security, virtualization, and telecommunications, andmore particularly, to the emulation in software of a reprogrammableuniversal integrated circuit chip.

BACKGROUND

According to the GSM Association (GSMA), there are over 5 billionsubscriber identity module (SIM) cards deployed in the world each year.In addition, there will be over 50 billion connected devices in theso-called Internet of Things (IoT) by 2020, according to variousindustry reports. Access to the Internet will be generally facilitatedvia cellular networks through physical SIM cards integrated into theseIoT devices.

OEMs that want to add connectivity functionality into devices willtherefore need to design applications that are aware of devicecapabilities to capture sensor data and communicate with a remote serverfor an application-specific task. Using conventional methods, this wouldrequire procuring and integrating physical SIM cards into the potentialbillions of devices manufactured. These physical SIM cards wouldgenerally require wireless modules that are integrated into the PrintedCircuit Boards (PCBs) of these devices. A wireless module and physicalSIM will increase the bill of materials (BoM) of such devices.Furthermore, an OEM manufacturer will need to find and select a mobilenetwork operator (MNO) that will provide coverage in the geographicareas that the connected devices will be deployed. The selection processmay depend on various parameters such as pricing, network quality,coverage, etc. However, as there are thousands of cellular networkoperators in the world with an average of 4 or more cellular networkoperator in many countries, the discovery and selection process becomesquickly very challenging for these OEMs and/or third party entitiesmanaging the access to connectivity for these devices. The third partyentities could be either enterprises or consumers who own theseconnected devices may be interchangeably referred to herein as theowners of the connected (or IoT) devices.

In view of the above issues, there is a clear friction in accessinglocal cellular networks faced by consumers and enterprises managingconnected devices in a global market where people and things arefundamentally mobile. Because access is predicated on the use of SIMcards, this friction is magnified by the current physical nature of SIMcards.

From the standard 2FF card (mini-SIM) to the 4FF card (nano-SIM), SIMcards have now evolved to the MFF2 form factor, which is mainly used inmachine-to-machine (M2M) applications. Introduction of the MFF2 formfactor and its subsequent smaller iterations into the Internet of Things(IoT) could radically alter the manufacturing and deployment of IoTdevices.

In December of 2013, the GSMA, which is the largest association ofmobile operators and related companies, essentially standardized howreprogrammable SIM cards are architected and remotely provisioned. As aresult of the standardization efforts, many new use cases will be soonpossible in an interoperable manner. These use cases include the abilityto seamlessly select and switch cellular networks without physicallychanging SIM cards.

Although the GSMA's specifications were developed primarily for M2Mdevices, nothing prevents those skilled in the art from using them forother types of connected devices as well. Doing so would thereforeremove the current friction of switching networks faced by people andthings in international roaming situations or in local geographic areaswith multiple cellular carriers. This provides people and devices withthe ability to dynamically change cellular networks to extract the bestvalue for mobile communication needs based on preferences for price,data speed, network quality, etc.

For local telecom regulators, virtual SIM card technology lowers thebarriers to switching networks and thereby fosters a healthy andcompetitive telecommunications landscape in which MNOs and MobileVirtual Network Operators (MVNOs) compete on price, service quality andinnovation.

For OEMs, virtual SIM card technology provides more space in the printedcircuit board assembly (PCBA) design, allowing the incorporation ofadditional sensors or other chip components and hence optimizes the PCBlayout. It also removes the complexity of dealing with various SIM cardvendors approved by MNOs in “kitting” environments.

MNOs stand to immensely benefit from virtual SIM card technology aswell. The technology may facilitate enhanced distribution because M(V)NOservice discovery, selection and provisioning could all take placeremotely over the “cloud.” Such a mobile application could then helpeffectively streamline the redundant Know Your Customer (KYC) procedurescurrently in effect in many countries. Moreover, for all M(V)NOs,regardless of market position, this technology can eliminate the costsof procuring, testing, certifying and distributing physical SIM cards byremoving the inherent logistical complexities associated with managingphysical SIM cards. This will enable MNOs to better focus capital spendand management attention on network capacity, coverage and otherdifferentiated services. Ultimately, this technology may reduce thecurrent cost of acquiring and retaining subscribers, potentiallyimproving thus the bottom line for M(V)NOs.

Finally, virtual SIM card technology may provide important environmentalbenefits by lowering the overall volume of manufactured SIM cardsglobally. It remains unclear if most of the billions of SIM cardsproduced each year are still not halogen-free as halogen is toxicallycorrosive, which therefore has the potential to damage people's healthand their environment.

BRIEF SUMMARY

Example embodiments described herein detail device configurations forfully emulating a reprogrammable embedded universal integrated circuitchip (eUICC) in a connected device's operating system that is running onthe connected device's application processor. More specifically, exampleembodiments illustrate on-die virtual (software) eUICCs running ondedicated application processors of a system-on-chip. In this regard,example embodiments may incorporate elements described previously inU.S. Non-Provisional patent application Ser. No. 14/856,974, filed Sep.17, 2015, and U.S. patent application Ser. No. 14/934,310, filed Nov. 6,2015. The entire contents of both of these applications are incorporatedherein.

In example embodiments that are implemented by a connected device (e.g.,a user device or an IoT device), an integrated cellular modem in theconnected device is configured to use a simple protocol to communicatewith a virtual eUICC. This protocol may be implemented in a way thatallows cellular modem vendors to rapidly and cost-effectively supportits functionality and which further may allow original equipmentmanufacturers to provide the functionality in connected devices alreadydeployed in the field via a simple over-the-air firmware upgrade.

In a first example embodiment, a mobile station is provided. The mobilestation includes a modem and at least one antenna configured tocommunicate in multi-active mode with a plurality of cellular networks.The mobile station further includes an application processor physicallyconnected to a baseband processor, wherein the physical connectionfacilitates secure transmission of commands to the application processorfrom a cellular modem application hosted by the baseband processor. Inaddition, the mobile station includes one or more memories storingcomputer-executable instructions that, when executed, configure a mobileapplication running on the application processor to, in response toreceipt of commands from the baseband processor, communicate with avirtual reprogrammable universal integrated circuit chip (eUICC) that isnot physically or electrically connected to the baseband processor.

In some embodiments, the virtual eUICC is stored within a trustedexecution environment (TEE) of the application processor. In some suchembodiments, the TEE provides access to the virtual eUICC using one ormore physically unclonable functions (PUFs). In this regard, at leastone of the PUFs may comprise a biometric signal source.

In some embodiments, the biometric signal source comprises a biometricinformation capturing element, wherein the user-provided biometricinformation is captured by the biometric information capturing element.In some such embodiments, the biometric information capturing elementcomprises a built-in fingerprint scanner or camera device.

In some embodiments, the computer-executable instructions, whenexecuted, further cause configuration of a virtual machine to host thevirtual eUICC. In some such embodiments, the computer-executableinstructions, when executed, cause configuration of the virtual machineby causing: initialization of a data storage module of the virtualmachine with the user-provided biometric information as a parameter tocreate encryption, decryption, and signature keys; loading of the datastorage module upon each device boot-up; encryption and decryption ofdata associated with the virtual machine using the encryption anddecryption keys; digital signing of data associated with the virtualmachine using the signature key; and storage of the digitally signeddata in a storage memory. In this regard, the digitally signed data maycomprise at least one of a GSM file system, one or more Java Cardapplications, or one or more network authentication keys, wherein thedigitally signed data is formatted into data blocks. In one embodiment,the storage memory maintains the data blocks in a journaling filesystem. Additionally or alternatively, digitally signing the datacomprises signing checksums or hashes of the data with the signaturekey. Moreover, digitally signing the data may include calculatingredundancy check values for the data, and signing the redundancy checkvalues with random keys.

In some embodiments, the virtual eUICC is hosted by a device that isremote from the mobile station.

In some embodiments, the baseband processor is programmed tonon-electrically attach to the virtual eUICC. In some such embodiments,non-electrical attachment may comprise a transmission to the applicationprocessor of a command initiated by the baseband processor. In thisregard, a radio interface layer of the application processor may beconfigured to interpret and forward the command to the virtual eUICC.

In some embodiments, the virtual eUICC is configured to receive indirectrequests from the baseband processor and generate responses to theindirect requests. In some such embodiments, the computer-executableinstructions configure the application processor to communicate with thevirtual eUICC via a radio interface layer of the application processorthat is configured to receive the generated responses to the indirectrequests and forward the generated responses to the baseband processor.

In another example embodiment, a method is provided for communicating inmulti-active mode with a plurality of cellular networks by a mobilestation comprising a modem and at least one antenna. The method includesproviding, in the mobile station, an application processor physicallyconnected to a baseband processor, wherein the physical connectionfacilitates secure transmission of commands to the application processorfrom a cellular modem application hosted by the baseband processor. Themethod further includes, in response to receipt of commands from thebaseband processor, communicating, by a mobile application running onthe application processor, with a virtual reprogrammable universalintegrated circuit chip (eUICC) that is not physically or electricallyconnected to the baseband processor.

In some embodiments, the virtual eUICC is stored within a trustedexecution environment (TEE) of the application processor. In some suchembodiments, the TEE provides access to the virtual eUICC using one ormore physically unclonable functions (PUFs). In this regard, at leastone of the PUFs may comprise a biometric signal source.

In some embodiments, the mobile device further includes a biometricinformation capturing element, and wherein the method includes capturingthe user-provided biometric information using the biometric informationcapturing element. In some such embodiments, the biometric informationcapturing element comprises a built-in fingerprint scanner or cameradevice.

In some embodiments, the method includes causing configuration of avirtual machine to host the virtual eUICC. In this regard, causingconfiguration of the virtual machine includes causing: initialization ofa data storage module of the virtual machine with the user-providedbiometric information as a parameter to create encryption, decryption,and signature keys; loading of the data storage module upon each deviceboot-up; encryption and decryption of data associated with the virtualmachine using the encryption and decryption keys; digital signing ofdata associated with the virtual machine using the signature key; andstorage of the digitally signed data in a storage memory. For instance,the digitally signed data may comprise at least one of a GSM filesystem, one or more Java Card applications, or one or more networkauthentication keys, and the digitally signed data may be formatted intodata blocks. Additionally or alternatively, the method may includemaintaining the data blocks in a journaling file system in the storagememory.

In some embodiments, digitally signing the data comprises signingchecksums or hashes of the data with the signature key. In someembodiments, wherein digitally signing the data comprises calculatingredundancy check values for the data, and signing the redundancy checkvalues with random keys.

In some embodiments, the virtual eUICC is hosted by a device that isremote from the mobile station.

In some embodiments, the method further includes non-electricallyattaching, by the baseband processor of the mobile station, to thevirtual eUICC. In some such embodiments, non-electrical attachment maycomprise a transmission to the application processor of a commandinitiated by the baseband processor. In this regard, the method mayfurther include interpreting, by a radio interface layer of theapplication processor, the command, and forwarding, by the radiointerface layer of the application processor, the command to the virtualeUICC.

In some embodiments, the virtual eUICC is configured to receive indirectrequests from the baseband processor and generate responses to theindirect requests. In some such embodiments, communicating, by theapplication processor, with the virtual eUICC includes receiving, by aradio interface layer of the application processor, the generatedresponses to the indirect requests, and forwarding, by the radiointerface layer of the application processor, the generated responses tothe baseband processor.

In yet another example embodiment, a mobile station is provided. Themobile station includes means for communicating in multi-active modewith a plurality of cellular networks, and an application processorphysically connected to a baseband processor, wherein the physicalconnection facilitates secure transmission of commands to theapplication processor from a cellular modem application hosted by thebaseband processor. The mobile station further includes means forcommunicating, by the application processor and in response to receiptof commands from the baseband processor, with a virtual reprogrammableuniversal integrated circuit chip (eUICC) that is not physically orelectrically connected to the baseband processor.

In some embodiments, the virtual eUICC is stored within a trustedexecution environment (TEE) of the application processor. In some suchembodiments, the TEE provides access to the virtual eUICC using one ormore physically unclonable functions (PUFs). In this regard, at leastone of the PUFs may comprise a biometric signal source.

In some embodiments, the biometric signal source comprises a biometricinformation capturing element, wherein the user-provided biometricinformation is captured by the biometric information capturing element.For instance, the biometric information capturing element may comprise abuilt-in fingerprint scanner or camera device.

In some embodiments, the mobile station includes means for causingconfiguration of a virtual machine to host the virtual eUICC. In thisregard, the means for causing configuration of the virtual machineincludes: means for causing initialization of a data storage module ofthe virtual machine with the user-provided biometric information as aparameter to create encryption, decryption, and signature keys; meansfor causing loading of the data storage module upon each device boot-up;means for causing encryption and decryption of data associated with thevirtual machine using the encryption and decryption keys; means forcausing digitally signing of data associated with the virtual machineusing the signature key; and means for causing storage of the digitallysigned data in a storage memory.

In some such embodiments, the digitally signed data comprises at leastone of a GSM file system, one or more Java Card applications, or one ormore network authentication keys, and the digitally signed data isformatted into data blocks. Additionally or alternatively, the storagememory maintains the data blocks in a journaling file system. Moreover,in some embodiments, digitally signing the data associated with thevirtual machine comprises signing checksums or hashes of the data withthe signature key. Additionally or alternatively, the means fordigitally signing the data associated with the virtual machine includesmeans for calculating redundancy check values for the data, and meansfor signing the redundancy check values with random keys.

In some embodiments, the virtual eUICC is hosted by a device that isremote from the mobile station.

In some embodiments, the mobile station further includes means fornon-electrically attaching the baseband processor to the virtual eUICC.In some such embodiments, non-electrical attachment may comprise atransmission to the application processor of a command initiated by thebaseband processor. In this regard, the application processor mayfurther include means for interpreting the command and means forforwarding the command to the virtual eUICC.

In some embodiments, the virtual eUICC is configured to receive indirectrequests from the baseband processor and generate responses to theindirect requests. In some such embodiments, the means forcommunicating, by the application processor, with the virtual eUICCincludes means for receiving the generated responses to the indirectrequests, and means for forwarding the generated responses to thebaseband processor.

In addition, it should be understood that embodiments described hereinmay utilize biometric information to securely configure a Java Cardvirtual machine operating in a mobile device's application.

While a Trusted Execution Environment (TEE) may in some situations beused to provide a secure container for a virtual eUICC, and whileTEE-enabled devices have been massively deployed in recent years, theyare still underused and fragmented from a developer's perspective.Furthermore, there are many instances where a TEE is not available foruse.

Example embodiments described herein provide configurations for securinga virtual eUICC running on an application processor in situations wherea trusted execution environment is not available. As disclosed ingreater detail below, example embodiments utilize biometric informationin conjunction with an encrypted file system to secure a virtual eUICCrunning on an application processor. Such embodiments employ theunclonable characteristics of biometric data (e.g., a fingerprint, afacial image, or the like). In some embodiments, such unclonablecharacteristics also utilize other sensor information, such asaccelerometer and/or gyroscope data while requiring the end-user toperform a set of movements known only to the end-user (e.g., shaking themobile device in a certain pattern).

In another example embodiment, a mobile station is provided. The mobilestation includes a modem and at least one antenna configured tocommunicate with a plurality of cellular networks. The mobile stationfurther includes one or more memories storing computer-executableinstructions that, when executed, configure a mobile application runningon a processor that facilitates communication between the modem and avirtual reprogrammable universal integrated circuit chip (eUICC) that isnot physically or electrically connected to the modem, wherein securityof the virtual eUICC is maintained using user-provided biometricinformation.

In some embodiments, the mobile station includes a biometric informationcapturing element, wherein the user-provided biometric information iscaptured by the biometric information capturing element. In some suchembodiments, the biometric information capturing element comprises abuilt-in fingerprint scanner or camera device.

In some embodiments, the computer-executable instructions, whenexecuted, further cause configuration of a virtual machine to host thevirtual eUICC. In some such embodiments, the computer-executableinstructions, when executed, cause configuration of the virtual machineby causing: initialization of a data storage module of the virtualmachine with the user-provided biometric information as a parameter tocreate encryption, decryption, and signature keys; loading of the datastorage module upon each device boot-up; encryption and decryption ofdata associated with the virtual machine using the encryption anddecryption keys; digital signing of data associated with the virtualmachine using the signature key; and storage of the digitally signeddata in a storage memory. In this regard, the digitally signed data maycomprise at least one of a GSM file system, one or more Java Cardapplications, or one or more network authentication keys, wherein thedigitally signed data is formatted into data blocks. In one embodiment,the storage memory maintains the data blocks in a journaling filesystem. Additionally or alternatively, digitally signing the datacomprises signing checksums or hashes of the data with the signaturekey. Moreover, digitally signing the data may include calculatingredundancy check values for the data, and signing the redundancy checkvalues with random keys.

In another example embodiment, a method is provided for communicatingwith a plurality of cellular networks. The method includes providing amobile device having a modem and at least one antenna configured tocommunicate with a plurality of cellular networks, and configuring amobile application running on a processor to facilitate communicationbetween the modem and a virtual reprogrammable universal integratedcircuit chip (eUICC) that is not physically or electrically connected tothe modem, wherein security of the virtual eUICC is maintained usinguser-provided biometric information.

In some embodiments, the mobile device further includes a biometricinformation capturing element, and wherein the method includes capturingthe user-provided biometric information using the biometric informationcapturing element. In some such embodiments, the biometric informationcapturing element comprises a built-in fingerprint scanner or cameradevice.

In some embodiments, the method includes causing configuration of avirtual machine to host the virtual eUICC. In this regard, causingconfiguration of the virtual machine includes causing: initialization ofa data storage module of the virtual machine with the user-providedbiometric information as a parameter to create encryption, decryption,and signature keys; loading of the data storage module upon each deviceboot-up; encryption and decryption of data associated with the virtualmachine using the encryption and decryption keys; digital signing ofdata associated with the virtual machine using the signature key; andstorage of the digitally signed data in a storage memory. For instance,the digitally signed data may comprise at least one of a GSM filesystem, one or more Java Card applications, or one or more networkauthentication keys, and the digitally signed data may be formatted intodata blocks. Additionally or alternatively, the method may includemaintaining the data blocks in a journaling file system in the storagememory.

In some embodiments, digitally signing the data comprises signingchecksums or hashes of the data with the signature key. In someembodiments, wherein digitally signing the data comprises calculatingredundancy check values for the data, and signing the redundancy checkvalues with random keys.

In yet another example embodiment, one or more non-transitorycomputer-readable media storing computer-executable instructions areprovided that, when executed by a mobile station having a modem and atleast one antenna configured to communicate with a plurality of cellularnetworks, cause the mobile station to configure a mobile applicationrunning on a processor to facilitate communication between the modem anda virtual reprogrammable universal integrated circuit chip (eUICC) thatis not physically or electrically connected to the modem, whereinsecurity of the virtual eUICC is maintained using user-providedbiometric information.

In some embodiments, the mobile station further includes a biometricinformation capturing element, and the user-provided biometricinformation is captured by the biometric information capturing element.In this regard, the biometric information capturing element comprises abuilt-in fingerprint scanner or camera device.

In some embodiments, the computer-executable instructions, when executedby the mobile station, further cause the mobile station to causeconfiguration of a virtual machine to host the virtual eUICC. In thisregard, the computer-executable instructions, when executed by themobile station, cause the mobile station to cause configuration of thevirtual machine by causing: initialization of a data storage module ofthe virtual machine with the user-provided biometric information as aparameter to create encryption, decryption, and signature keys; loadingof the data storage module upon each device boot-up; encryption anddecryption of data associated with the virtual machine using theencryption and decryption keys; digital signing of data associated withthe virtual machine using the signature key; and storage of thedigitally signed data in a storage memory. In this regard, the digitallysigned data may comprise at least one of a GSM file system, one or moreJava Card applications, or one or more network authentication keys, andthe digitally signed data may be formatted into data blocks.Additionally, the storage memory may maintain the data blocks in ajournaling file system.

In some embodiments, digitally signing the data comprises signingchecksums or hashes of the data with the signature key. In someembodiments, digitally signing the blocks comprises calculatingredundancy check values for the data, and signing the redundancy checkvalues with random keys.

The above summary is provided merely for purposes of summarizing someexample embodiments to provide a basic understanding of some aspects ofthe present invention(s). Accordingly, it will be appreciated that theabove-described embodiments are merely examples and should not beconstrued to narrow the scope or spirit of the invention in any way. Itwill be appreciated that the scope of the invention(s) encompasses manypotential embodiments in addition to those here summarized, some ofwhich will be further described below.

BRIEF DESCRIPTION OF THE DRAWINGS

Having thus described the example embodiments of the invention ingeneral terms, reference will now be made to the accompanying drawings,which are not necessarily drawn to scale, and wherein:

FIG. 1 provides a high-level system overview of an end-to-end virtualSIM platform, in accordance with example embodiments described herein;

FIG. 2 illustrates an overview of an example internal deviceconfiguration of a virtual eUICC, in accordance with example embodimentsdescribed herein;

FIG. 2A illustrates one use-case contemplated herein, in accordance withexample embodiments described herein;

FIG. 2B illustrates an additional system configuration, in which virtualeUICCs are hosted by a cloud provider, in accordance with exampleembodiments described herein;

FIG. 3 illustrates a high-level view of the virtual eUICC, in accordancewith example embodiments described herein;

FIG. 4 illustrates the internal software architecture of a virtualeUICC, in accordance with example embodiments described herein;

FIG. 5 illustrates a sequence diagram for a solicited command (e.g.DIAL), in accordance with example embodiments described herein;

FIG. 6 illustrates a sequence diagram for transmission of an unsolicitedcommand (e.g. RECEIVE CALL), in accordance with example embodimentsdescribed herein;

FIG. 7 illustrates an internal overview of the configuration of aconnected device using a virtual eUICC without a Trusted ExecutionEnvironment (TEE), in accordance with example embodiments describedherein;

FIG. 8 illustrates a high-level view of a virtual eUICC, in accordancewith example embodiments described herein;

FIG. 9 illustrates the internal software architecture of a virtualeUICC, in accordance with example embodiments described herein;

FIG. 10 illustrates the high-level overview of a Java Card VirtualMachine (JCVM) setup using biometric information provided by theend-user, in accordance with example embodiments described herein;

FIG. 11 illustrates a flowchart of a JCVM file system initialization, inaccordance with example embodiments described herein;

FIG. 12 illustrates an exemplary process flow for a JCVM during dataloading, in accordance with example embodiments described herein; and

FIG. 13 illustrates an exemplary process flow for a JCVM during dataupdate, in accordance with example embodiments described herein.

DETAILED DESCRIPTION

Some embodiments will now be described more fully hereinafter withreference to the accompanying drawings, in which some, but notnecessarily all contemplated embodiments are expressly illustrated.Indeed, the inventions contemplated herein may be embodied in manydifferent forms and should not be construed as limited to theembodiments set forth herein; rather, these embodiments are provided sothat this disclosure will satisfy applicable legal requirements. Likenumbers refer to like elements throughout.

As defined herein, a “computer-readable storage medium,” which refers toa non-transitory physical storage medium (e.g., volatile or non-volatilememory device), can be differentiated from a “computer-readabletransmission medium,” which refers to an electromagnetic signal.

It will be understood that each software operation described herein maybe implemented by various means, such as hardware, firmware, processor,circuitry, and/or other devices associated with execution of softwareincluding one or more computer program instructions. For example, one ormore of the procedures described herein may be embodied by computerprogram instructions. In this regard, the computer program instructionswhich embody the described procedures may be stored by a memory of anapparatus and executed by a processor of the apparatus. As will beappreciated, any such computer program instructions may be loaded onto acomputer or other programmable apparatus (e.g., hardware) to produce amachine, such that the resulting computer or other programmableapparatus implements the particular functions specified. These computerprogram instructions may also be stored in a computer-readable memory(e.g., a computer-readable storage medium) that may direct a computer orother programmable apparatus to operate in a particular manner, suchthat the instructions stored in the computer-readable memory produce anarticle of manufacture, the execution of which implements the specifiedfunctions. The computer program instructions may also be loaded onto acomputer or other programmable apparatus to cause a series of operationsto be performed on the computer or other programmable apparatus toproduce a computer-implemented process such that the computer programinstructions executed on the computer or other programmable apparatuscause the performance of operations for implementing the specifiedfunctions.

Turning first to FIG. 1, a high-level system overview of an end-to-endvirtual SIM platform is illustrated. As shown in FIG. 1, embodimentscontemplated herein enable a single device to connect to a plurality ofdifferent networks (e.g., Networks A through D) using a series ofvirtual SIM cards stored in an eUICC. In turn, a virtual SIM cardmanagement platform (referred to herein as an MNOHub server) facilitatesthe provisioning (e.g., purchase, activation, deactivation, anddeletion, or the like) of the virtual SIM cards. The virtual SIM cardmanagement platform further communicates with a variety of MNOs or MVNOsassociated with several of the networks available to the device and thatoffer the various virtual SIM cards for sale.

In U.S. Non-Provisional patent application Ser. No. 14/856,974, filedSep. 17, 2015, apparatuses, systems and a set of methods are describedthat enable the virtualization of physical SIM cards using a pluralityof concurrent eUICCs. Devices implementing such concepts may beconnected devices such as IoT devices, or in some embodiments mobilestations that may comprise cellular telephones or which may otherwise beoperated by users, as disclosed in U.S. Non-Provisional patentapplication Ser. No. 14/856,974, filed Sep. 17, 2015. These patentapplications describe example mobile stations or connected devices maycomprise a “SIM-less” System-on-Chip (S2oC) with integratedreprogrammable cellular network connectivity.

Example embodiments disclosed herein provide an extension of this S2oCarchitecture and comprise configurations for fully emulating an eUICC ina connected device's operating system running on the applicationprocessor. More specifically, some example embodiments include an on-dievirtual (i.e., software-based) eUICC running on a dedicated applicationprocessor of a system-on-chip.

Traditional architectures connect hardware-based eUICCs with a basebandprocessor (and not the application processor). In turn, virtualizedeUICCs might presumably be hosted by the baseband processor as well.However, baseband processors are not equipped with much memory, whichlimits the ability to store eUICCs thereon. Similarly, basebandprocessors traditionally provide a relatively small physical footprint,thus reducing the ability for modification or addition of newcomponents. Moreover, baseband processors must typically be certified bynational bodies (in the U.S., for instance, they are certified by thePTCRB). Finally, baseband processors typically have limited amounts ofrandom access memory, thus placing a ceiling on the performance ofbaseband processor operations. Accordingly, as described herein, severalexample embodiments store virtual eUICCs on the application processor.Because application processors have more random access memory, thischange can reduce virtual SIM provisioning time from the roughly 30seconds or 1 minute, as is typical in traditional physical eUICCprovisioning, to a matter of 1 or 2 seconds for a virtual eUICC hostedby the application processor. Some example architectures supporting theredesign of eUICC location are described herein. Perceived drawbacks ofhosting virtual eUICCs in an application processor (e.g., securityconcerns) are also addressed through heightened security functionality,as described below.

As shown in FIG. 2, in some example embodiments of a connected device,the Baseband Processor (BP) is connected to the Application Processor(AP) through a physical interface (e.g., a serial port, a dedicated bus,or the like). The BP might be connected to the physical eUICC through astandard driver developed by the cellular modem vendor. The AP may run arich UI OS (e.g., Android) including a mobile application dedicated tomanaging the virtual eUICC content. The AP may further include a TrustedExecution Environment (TEE), which allows the connected device tosecurely run trusted applications. These trusted applications may haveaccess to securitized data storage that would have normally beenavailable to other applications running in the AP. One of the trustedapplications may, in these embodiments, be described as the virtualeUICC, and a high-level logical view of one such virtual eUICC isprovided in FIG. 3. It should be understood that in some embodiments,there may exist a plurality of virtual eUICCs in the same connecteddevice. In embodiments with one or more virtual eUICC as illustratedherein, a routing mechanism, such as is disclosed above, may further bereused.

As shown in FIG. 2, element 202 may comprise a secure channel forcommunicating via a virtual eUICC driver protocol, element 204 maycomprise a secure channel for secure data storage access via a TEEInternal API, and element 206 may comprise a secure channel forpassword-based data storage via a standard File System (FS) API.Further, element 208 illustrates AP-BP communication, which may occurvia standard and/or proprietary AT commands (e.g., AT+CSIM, AT % VSIM,or the like) using a vendor radio interface layer (RIL). Finally,element 210 illustrates virtual eUICC access via a SIM Alliance API(e.g., SEEK).

In some embodiments, it may be the case that communication is possiblebetween the connected device and a separate connected device. Forinstance, when a user takes a smartphone into a vehicle, it may be thecase that the vehicle includes a cellular modem and an antenna and cancommunicate with the user's smartphone using, for instance, the remoteSim Access Profile (SAP) API. In such embodiments, the virtual eUICCconcept contemplated herein may still operate in the fashion as shownabove. This design is illustrated in FIG. 2A, in which the connecteddevice (e.g., the user's smartphone) is in communication with a separateconnected device (here, a vehicle) via element 212, which may utilizeBluetooth™ or another type of short-range communication technology.

Turning now to FIG. 4, example internal software architecture of avirtual eUICC is illustrated, in accordance with example embodimentsdescribed herein. As shown in FIG. 4, in some embodiments the virtualeUICC is based on an optimized implementation of the Java Card VirtualMachine (JCVM) specifications, and thus support the concept offirewalls. The virtual eUICC may include a Java Card Runtime Environment(JCRE) to run Java Card applications, commonly referred as applets. TheJCRE is the entry point for communicating with the virtual eUICC.

In some embodiments, the virtual eUICC includes an implementation ofGlobalPlatform card specifications, and in such embodiments theconnected device thus supports the concept of Security Domains thatessentially allows the secure sandboxing of a group of applets.

The virtual eUICC includes an implementation of the ETSI/3GPPspecifications that provide the necessary framework for running SIM,USIM, and ISIM applets and other Network Access Applications (NAAs) usedby network operators.

The virtual eUICC may further include a custom profile manager appletwhich leverages the Security Domain configuration to allow the eUICC tocontain multiple network operators' profiles at the same time, such asthe profile manager applet described in greater detail in U.S.Non-Provisional patent application Ser. No. 14/856,974, filed Sep. 17,2015.

The JCRE may be configured to provide an implementation of the virtualeUICC interface (e.g., S2OC_UICC_CONTROLLER.H). This interface is thencalled by the Radio Interface Layer (RIL) module of the connecteddevice. The RIL module is configured to support both physical andvirtual UICCs. The end-user of the connected device will have the optionto enable the eUICC through a rich OS UI (e.g., a Settings app).

Some example embodiments also enable the RIL to support a dual-SIM (or amulti-SIM) configuration provided that the cellular modem supports it.In fact, one embodiment contemplated herein may be applied to aretrofitted Dual SIM Dual Standby (DSDS) or Dual SIM Dual Active (DSDA)device whereby one SIM card slot is assigned to the virtual eUICC whilethe baseband processor's firmware is configured to take into accountsuch configuration.

As noted above, element 208 illustrates that the RIL communicates withthe cellular modem (i.e., the baseband processor) via AT commands (alsoreferred to as the Hayes command set). It is also noted that ahigh-level protocol abstracting AT commands can be used (e.g.,Qualcomm's MSM Interface (QMI), which is Qualcomm's proprietaryinterface for communicating with Qualcomm Mobile Station Modems).

AT commands have been used since 1981 and still consist of a series ofshort text strings which are combined together to produce completecommands for operations such as dialing, hanging up, and changing theparameters of a connection. However, many vendors have introducedadvanced proprietary features that extend basic AT commands.Implementing these proprietary features or any standard AT command inAndroid for instance, requires the OEM to provide an implementation ofthe Radio Interface Layer (RIL) interface (ril.h). To do this, an OEMwould provide a library (ril.so) specific to its cellular modem vendorthat implements such interface.

However, it has been observed that RIL integration is very complicatedand programmers historically have continued to utilize AT commands insource code, which produces inflexibility.

In this regard, such example embodiments may further use additional ATcommands to minimize the integration work a cellular modem applicationvendor. However, for this to work, the cellular modem application vendorneeds to develop a virtual driver that can communicate, using ATcommands, with the external virtual eUICC hosted on the applicationprocessor. An example of one such driver protocol includes commands suchas those illustrated in Table 1 below.

TABLE 1 Virtual eUICC Driver Protocol BP shall use unsolicited proactivecommands to communicate with AP via RIL module (over serial, USB, etc .. . ) It consists of at least 8 new non-standard AT commands used in thevirtual eUICC Driver: 1. %VSIMLIST Unsolicited Proactive Command to listall slots with virtual eUICCs; 2. AT%VSIMLIST =<slot 1>, <slot 2>, <slot3> . . . <slot n> 3. %VSIMRESET:<slot #>, Unsolicited Proactive Commandto resat the virtual eUICC and return ATR 4.AT%VSIMRESET=<length>,“<ATR>” AP resets virtual eUICC and returns ATR 5.%VSIMATR:<slot #> Unsolicited Proactive Command to return ATR 6.AT%VSIMATR=<length>,“<ATR>” AP returns ATR 7. %VSIMAPDU:<slot#>,<length>, “<C-APDU>” Unsolicited Proactive Command to forward C-APDUto virtual eUICC 8. AT%VSIMAPDU=<length>,“<R-APDU” AP returns R-APDUExamples: [SELECT DF GSM & GET RESPONSE] %VSIMAPDU:1, 14,“A0A40000027F20” AT%VSIMAPDU:1, 48,“000010247F20020000000000091100160800838A838A9000” [RUN GSM ALGORITHM &GET RESPONSE] %VSIMAPDU:1, 42,“A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF” AT%VSIMAPDU-28,“A5975E88E0940FC09AEFA0009000”

When the Cellular Modem application boots up, it is informed by the APthat a virtual eUICC is connected to the device. This notification couldbe performed, for instance, with a % VSIMLIST command. This commandappears to the Application Processor, and more specifically to the RILas an unsolicited command. The RIL maintains the list of virtual eUICCsslots available for the device. The RIL would return the list ofavailable virtual eUICCs.

The virtual eUICC is then detected by a Cellular Modem Application(which is also referred to as the trusted baseband client, although whenreferred to as a Cellular Modem Application, this element is explicitlydescribed as running on a dedicated baseband processor) by sending a %VSIMRESET to the RIL to “power up” the virtual eUICC and retrieve itspre-configured Answer to Reset (ATR) data.

When a cellular network requires authentication with the virtual eUICC,the Cellular Modem Application sends an unsolicited command to the RILwhich encapsulates a message to the virtual eUICC. For example, for a 2Gnetwork authentication, it could consist of explicitly selecting thededicated file for GSM (DF GSM) via % VSIMAPDU:1,14, “A0A40000027F20”and requesting to run standard the GSM algorithm % VSIMAPDU:1,42,“A08800001OFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF” The response to theseencapsulated commands is received through solicited commands to theCellular Modem application via AT % VSIMAPDU.

Turning now to FIG. 5, a sequence diagram is provided illustrating aseries of events for placing a phone call by the end-user using aspecific virtual eUICC. In operation 502, the end-user initiates a callwith a given virtual SIM card using a Dialer App. In operation 504, theRIL sends a solicited command to the Cellular Modem Application to dialthe given mobile number. In operation 506, the Cellular ModemApplication, which already has knowledge of the existence of the virtualeUICC, sends an unsolicited command to the RIL. In operation 508, theCellular Modem Application sends a command requesting the status of thevirtual SIM card (e.g., getSIMStatus( ), and in operation 510, thesolicited response indicates the status of the virtual SIM card (e.g.,SIM ready), and provides the International Mobile Subscriber Identity(IMSI) and Integrated Circuit Card ID (ICCID) associated with theidentified virtual SIM card. It should be understood that operations 508and 510 may be performed periodically (and thus may be performed priorto the call initiation process), after which the results may be cachedby the Cellular Modem Application for later use. Subsequently, inoperation 512, the Cellular Modem Application pings the correspondingnetwork using an IMSI associated with the identified virtual SIM card.In response, in operation 514, standard network authentication may occurbetween the virtual SIM card and the network. In operation 516, the usermay be notified of the status of the call, and finally, in operation518, the connection may be established.

As shown in FIG. 6, a sequence diagram is provided demonstrating aseries of events for receiving a phone call by the end-user through aspecific virtual eUICC. In operation 602, a network may ping theCellular Modem Application of a connected device. In operation 604, theCellular Modem Application sends a command requesting the status of thevirtual SIM card (e.g., get SIMStatus( )), and in operation 606, thesolicited response is returned indicating the status of the virtual SIMcard (e.g., SIM ready). In response, in operation 608, standard networkauthentication may occur between the virtual SIM card and the network.In operation 610, the Cellular Modem Application, may send anunsolicited command to the RIL. Subsequently, in operation 612, the RILmay return an unsolicited command. In operation 614, the user may benotified about the status of the call, and finally, in operation 616,the connection may be established.

It is already anticipated that security would be the reason manyopponents of the introduction of virtual eUICCs into the industry wouldreference as their main reason for objection. However, one can point outthat the financial industry is already allowing consumers to make verylarge financial transaction on mobile devices without the requirement ofa physical secure element. Furthermore, the TEE is rapidly appearing tobecome a secure foundational block which could be leveraged by a virtualeUICC. In some example embodiments contemplated herein, the use ofphysically unclonable functions (PUFs) adds another layer of security tothe pre-existing TEE container specifically for a virtual eUICC. Anexample PUF may use noisy signal sources such as biometric data. Forinstance, on an iPhone, this might include using the fingerprint scannerto create the virtual eUICC. The end-user could download a new iOSfirmware upgrade which includes an updated Cellular Modem Applicationand a dedicated mobile application. Upon completion of the registrationprocess by the end-user, the mobile application could trigger launchingof the fingerprint scanner screen that may be used by an end-user. Afterthe biometric matching process, the virtual eUICC is activated and will,throughout its lifespan, only be usable by this particular end-user. Theuse of biometric information to enhance security is described in greaterdetail below.

The Cellular Modem Application may further have a PGP-like key loadedinto it upon a firmware upgrade or first installation. The virtual eUICCmay also be initialized with its own PGP-like key. The Cellular Modem'sPGP-like key can be used by the virtual eUICC to transmit data to theCellular Modem Processor. Similarly, the virtual eUICC's PGP-like keycan be used by the Application Processor to send data to it. The virtualeUICC library can be a trusted application that is either preloaded orinstalled remotely into the TEE. To add a layer of pseudo-tamperresistance, the virtual eUICC software may also be signed with themanaging entity's private certificate. The managing entity (e.g., a MNOhub server) may then be required to activate the virtual eUICC before itcan be used. It could also perform an integrity check at a newmanagement operation (e.g. installing a new digital SIM). The activationmechanism of the virtual eUICC is based on a mutual-authenticationsession between the JCRE and the managing entity's servers. To preventcloning, the entity managing the virtual eUICCs retrieves the IMEI ofthe host device in advance and stores it in its databases of virtualeUICCs hosts. The managing entity then generates a random virtual eUICCID (EID) and links it to the said IMEI. The serial number of thecellular modem is also retrieved. These parameters are fed into the JCREat first boot-up and activation.

In this fashion, example embodiments provide a mechanism forvirtualizing an eUICC running on an application processor and accessedby the baseband processor indirectly. It is noted that suchconfiguration could be further extended whereby the virtual eUICC isrunning in the cloud, as shown in FIG. 2B. Specifically, as opposed tothe arrangement described in FIG. 2, use of a TEE and FS are notnecessary in a cloud embodiment of this nature, because the applicationprocessor itself does not host the virtual eUICC(s). Moreover, in acloud embodiment, the remote eUICC host may utilize a secured datacenter to store information regarding the virtual eUICC(s), such as byusing a Hardware Security Module (HSM) or other heightened securitysystem. Accordingly, rather than utilizing an internal secure channel202 to communicate with the virtual eUICC, the application processor mayutilize channel 214 to communication with the external cloud host usinga virtual eUICC driver protocol. In such embodiments, if a cloud-basedvirtual eUICC is not associated with a bootstrap profile, then thiscommunication may be facilitated by establishment of a Wi-Fi connectionenabling communication with the remote cloud to perform the Sanity Checkand retrieve the relevant IMSI. If there is a bootstrap profileassociated with the cloud-based virtual eUICC, then the Vendor RIL cancause communication directly with the cloud host via the bootstrapprofile to perform the Sanity Check and retrieve the relevant IMSI.Implementation of a cloud-based virtual eUICC embodiment carries anumber of benefits by reduction of the burden on the applicationprocessor. Moreover, the security of the cloud host could be much morerobust than the security of the connected device itself, thus furtherreducing the remaining risk that a malicious party could tamper witheUICC-related information. In yet another embodiment, there may be localvirtual eUICC(s) as well as remotely hosted virtual eUICC(s).

As noted briefly above, biometric information may be utilized to providean additional or alternative layer of security to the TEE (orcloud-based) security concepts described above. For instance, in someexample embodiments described can utilize biometric information tosecure a virtual eUICC running on an application processor iscontemplated for situations where a trusted execution environment (TEE)is not available, as illustrated in the design configuration shown inFIG. 7. It will be understood, however, that similar mechanisms can beused to further enhance the security of a mobile device that alreadyutilizes a TEE. In a similar fashion, the use of biometric informationcan enhance the security of mobile devices that access an externalvirtual eUICC host (e.g., a cloud host). In each of these examplescenarios, example embodiments may utilize biometric information inconjunction with an encrypted file system to secure the virtual eUICC.Such embodiments can thus protect the integrity of an eUICC by relyingon the unclonable characteristics of biometric data (e.g., afingerprint, facial image, or the like). In some embodiments, suchunclonable characteristics may also utilize other sensor informationsuch as accelerometer and/or gyroscope data while requiring the end-userto perform a set of movements known only to the end-user (e.g., shakingthe mobile device in a certain pattern).

In this regard, there are numerous types of biometric data sources. Insome embodiments, biometric data may be retrieved from a built-infingerprint scanner. In other embodiments, biometric data may beretrieved from a built-in camera for facial image recognition. Thoseskilled in the art can appreciate how additional types of biometricinformation may be retrieved from an end-user using that end-user'smobile terminal.

In embodiments where an end-user's mobile device hosts a virtual eUICC,the end-user can enable use of biometric security by downloading, intothe end-user's mobile terminal, a firmware update which includes anupdated Cellular Modem Application and a dedicated mobile applicationand its associated virtual eUICC. During the registration process(enrollment) by the end-user, the mobile application triggers abiometric information retrieval process. The specific process utilizedcan be selected by the mobile application by automatically querying thefunctionality of the end-user's mobile terminal.

Biometric Data Retrieved from Built-in Fingerprint Scanner:

A fingerprint scanner is a stock element of modern iPhones, but othermobile OS-based devices (Android, Tizen, Windows, etc.), includingSamsung's Galaxy devices, may also provide fingerprint scanners. In someembodiments, the end-user is presented with a menu to touch thefingerprint scanner. The cellular device's operating system may use asecure and dedicated “data storage enclave” system, whereby the mobileapplication never accesses the actual biometric information because suchinformation is provided to the operating system upon the first boot-upof the device during the standard configuration menu. However, arandomly generated signature is provided to the mobile application bythe operating system. Such a randomly generated signature may be linkedto the actual fingerprint data securely stored in the dedicated “datastorage enclave”.

Biometric Data Retrieved from Built-in Camera:

Most mobile terminals today include built-in cameras, and thus exampleterminals that could utilize biometric data retrieved from a built-incamera could utilize by an iPhone, or nearly any other OS-based devices(Android, Tizen, Windows, etc.) as well. In these embodiments, theend-user is presented a menu to take various pictures of their face. Theparticular pictures taken could consist of a specific pattern only knownby the end-user. A “liveness” detection is performed during the captureof the facial images. The facial images can then be sent to a remoteserver (i.e., a managing entity), which would require access to a Wi-Ficonnection, because cellular connectivity is not yet available from thevirtual eUICC. Otherwise, another physical eUICC already configured toaccess a bootstrap cellular network may be used. In all cases, theremote server may securely store the facial images and returns asignature to the mobile application. In turn, this signature can then belinked to the facial images' pattern.

In example embodiments, after the biometric capture process, theend-user may be requested to provide a unique ID (e.g., an emailaddress) and a secret password. The end-user may also then be asked toprovide a unique government identification number. In India, forinstance, such government identification can be the Aadhaar (a 12-digitindividual identification number issued by the Unique IdentificationAuthority of India (UIAI) on behalf of the Government of India). Thegovernment ID may be used by a managing entity as a reference that maybe checked against a third party database.

It should be understood that the term managing entity, as used herein,refers to an off-device, external server, that may generally communicatewith the virtual eUICC through the mobile application. For instance, insome embodiments the managing entity may comprise an MNOHUB server. Themanaging entity acts as the issuer of the virtual eUICC, and hence hasthe proper keys to remotely manage the virtual eUICC.

The virtual eUICC may then be activated and will only be usable,throughout its lifespan, by the end-user whose biometric signature wascaptured. The activation requires retrieving, by the JCRE of the virtualeUICC, additional configuration parameters such as a virtual eUICC ID, adevice ID (e.g. IMEI), a user ID (e.g. email), a password (e.g.alphanumerical text) and biometric information (e.g. signatures ofbiometric data). FIG. 8 illustrates a high-level view of a virtual eUICCof this nature. In contrast to other similar example views of a virtualeUICC, in the example embodiments utilizing biometrics-based security,FIG. 8 illustrates the virtual eUICC is stored in a biometric-protectedfile system. In turn, FIG. 9 illustrates the internal softwarearchitecture of a virtual eUICC of this nature.

The Cellular Modem Application may further have a PGP-like key loadedinto it upon a firmware upgrade or during initial installation. Thevirtual eUICC is also initialized with its own PGP-like key. TheCellular Modem's PGP-like key can be used by the virtual eUICC totransmit data to the Cellular Modem Processor. Similarly, the virtualeUICC's PGP-like key may be used by the Application Processor to senddata to eUICC. To add a layer of pseudo-tamper resistance, the virtualeUICC software may be signed with the managing entity's privatecertificate.

The managing entity shall activate the virtual eUICC before it can beused. It shall also perform a full integrity check during a newmanagement operation such as installing a new digital SIM card. Theactivation mechanism of the virtual eUICC is based on amutual-authentication session between the JCRE and the managing entity,of the nature described previously above. To prevent cloning, themanaging entity may retrieve the IMEI of the host device in advance andstore it in its databases of virtual eUICCs' hosts. The managing entitymay then generate a random virtual eUICC ID (EID) and link it to thesaid IMEI. The serial number of the cellular modem is also retrieved.These parameters are fed into the JCRE at first boot-up and activation.As previously described, the biometric signature may also be included inthese parameters.

The manner by which the JCRE will work with the JCVM to secure the datastorage and runtime execution of the virtual eUICC will now bedescribed.

On boot-up, the JCRE passes, to the JCVM, the encryption/decryption keysof the Filesystem (FS), which will hereinafter be referred to as JCVMkeys. This step is required for every boot-up activity of the device. Aslong the JCVM FS memory size is maintained at a reasonably small size(512 KB-1024 KB), the encryption/decryption time will not impact theperformance of the system, and thus will preserve a seamlessuser-experience.

The FS may be one single relatively small file encrypted with thegenerated symmetric keys. In this embodiment, the keys may be based onthe 256-bit Advanced Encryption Standard (AES). In other words, aninstance of the virtual machine has its own dedicated storage andintegrity keys. For an attacker to attempt cloning a plurality of JCVMsdeployed in various cellular devices, the computing resources becomevery expensive as the encryption system is purposefully decentralized.

Every digital SIM downloaded to the virtual eUICC is signed with anintegrity check (checksum). Upon loading of the digital SIM, thechecksum is validated to ensure data integrity.

To avoid a brute force attack, the virtual eUICC may be configured sothat the virtual machine locks itself until the managing entity unlocksit. The entry point of JCRE is protected from denial-of-service attacksby introducing a retry mechanism counter which, after a fixed amount ofsuccessive failed authentications, will temporarily deactivate theability to retry until the managing entity reactivates it again. Suchreactivation might require the end-user to provide their credentialsincluding going through a biometric authentication process.

A multi-factor authentication scheme may also be utilized. The factorsrelied upon in ne such scheme may include who the user is (biometricsignature), what they know (a username, password and a government issuedID), and what they have (the device). The JCVM keys are thus generatedusing the following formula: JCVM Keys=f (Biometric signature, Username,Password, Government ID, Device ID, Virtual eUICC ID, cellular modem ID)

Whenever the end-user changes the password, the JCVM updates its keysand reinitializes the filesystem before restoring it. The mobileapplication can be programmed to periodically force the user to changethe password to help mitigate potential hacking issues.

Three constraints are utilized to create a secure container for thevirtual eUICC:

1. Secure Storage

2. Tamper-Resistance

3. Secure Bytecodes

Secure Storage:

One example secure storage is created by serializing C++ objects (MasterFile, Dedicated File, Element Files, Java Card Applets) as defined inthe JCVM into one file (FS) encrypted with randomly generated AES256-bit keys. The virtual FS is an encrypted filesystem running in RAMusing AES 256-bit keys with an initialization vector. The Physical FS isan encrypted filesystem using an external/internal storage systemavailable to the application processor. It shall also employ a 256-bitAES encryption of files. All applet objects and data are serialized intothe FS.

Tamper Resistance:

The tamper-resistance nature of the virtual eUICC is introduced to makeit harder for an attacker to modify it. A passive measure such asobfuscation to make reverse engineering difficult can also be employedin some embodiments. To minimize the footprint of the software andmitigate its potential performance impact, an anti-tampering embodimentis employed whereby integrity checks are performed by either the mobileapplication or the managing entity.

Secure Bytecodes:

The JCVM bytecode interpreter runs secure bytecodes. This requirespre-processing applets before they are remotely stored into the virtualeUICC. The pre-processing mechanism is generally performed at the serverlevel by the managing entity. An automated function allows thegeneration of encrypted bytecodes, which are then remotely transmitted(via the mobile application) to the virtual eUICC during theinstallation of a Java Card applet inside a digital SIM. To be able tointerpret these bytecodes, the JCVM key is generated upon the boot-upinformation provided to the JCRE.

Turning now to FIG. 10, an illustration is provided of the high-leveloverview of an example JCVM setup using biometric information providedby the end-user. The end-user captures biometric information using theend-user's mobile station, and this biometric information is relayed tothe mobile application.

Turning now to FIG. 11, an example flowchart illustrates JCVM filesystem initialization. The operations described in FIG. 11 may, forinstance, be performed by the connected device (e.g., a mobile station).In operation 1102, the user enrolls through a mobile application on theuser's connected device. This enrollment may be part of a registrationprocess by the end-user, and may trigger a biometric informationretrieval process. In operation 1104, the connected device determineswhether a file system currently exists or not. In an instance in which afile system does exist, in operation 1106, the connected device uses theuser's retrieved biometric information to load (and decrypt) thephysical file system, and the procedure advances to operation 1112, inwhich the physical file system is used via a virtual file system.Alternatively, in an instance in which a file system does not exist, theprocedure advances to operation 1108, in which the connected devicedetermines whether biometric information is available. If not, then theprocedure returns to operation 1102. If so, however, then the procedureadvances to operation 1110, in which the connected terminal creates andloads a physical file system using the biometric information.Subsequently, the procedure advances to operation 1112, in which thephysical file system is used via a virtual file system.

Turning now to FIG. 12, a sequence diagram is provided illustrating anexemplary process flow for a JCVM during data loading. In operation1202, the mobile application transmits retrieved biometric informationto the JCRE for the end-user to login. In operation 1204, the JCREtransmits a FS load request to the JCVM. In operation 1206, the JCVMtransmits the biometric information to a virtual FS. Finally, inoperation 1208, the biometric information is used to decrypt thephysical FS. In response, the physical FS transmits a message back tothe virtual FS indicating that decrypting has occurred in operation1210. In operation 1212, the virtual FS relays the message to the JCVM.In operation 1214, the JCVM then transmits a message to the JCRE.Finally, in operation 1216, an acknowledgment is sent from the JCRE tothe mobile application indicating that the biometric data has beenloaded.

It should be understood that while the operations illustrated in FIG. 12depict an example sequence of operations that may occur in someembodiments, there may be slight variations based on the design of theimplementing system. For instance, when the mobile device utilizes aTEE, operations performed by the JCRE, JCVM and virtual FS may becondensed such that the biometric information may be transmitted to theTEE, which then transmits the biometric information directly to thephysical FS stored within the TEE. The responsive transmissions may besimilarly streamlined.

Turning to FIG. 13, a sequence diagram is provided illustrating anexemplary process flow for a JCVM during data update. In operation 1302,a radio interface layer transmits a solicited command to the JCRE. Inoperation 1304, the JCRE handles the solicited command and dispatches itto the JCVM. In operation 1306, the JCVM processes the command. Next, inoperation 1308, the JCVM transmits an instruction to update the virtualfile system based on the processing of the command. Finally, inoperation 1310, an instruction is transmitted to update the physicalfile system accordingly.

As with the operations illustrated in FIG. 12, the operations depictedin FIG. 13 may vary based on the design of the implementing system. Forinstance, when the mobile device utilizes a TEE, operations performed bythe JCRE, JCVM and virtual FS may be condensed such that commands may betransmitted to the TEE, which then transmits the commands directly tothe physical FS stored within the TEE, and responses may be similarlystreamlined.

By utilizing combinations of these additional security measures, avirtualized eUICC can be stored by an application processor in additionto or even in the absence of a TEE. In this fashion, a method may beimplemented using biometric information to securely configure a JavaCard virtual machine operating on a mobile device's applicationprocessor.

Many modifications and other embodiments of the inventions set forthherein will come to mind to one skilled in the art to which theseinventions pertain having the benefit of the teachings presented in theforegoing descriptions and the associated drawings. Therefore, it is tobe understood that the inventions are not to be limited to the specificembodiments disclosed and that modifications and other embodiments areintended to be included within the scope of the appended claims.Moreover, although the foregoing descriptions and the associateddrawings describe example embodiments in the context of certain examplecombinations of elements and/or functions, it should be appreciated thatdifferent combinations of elements and/or functions may be provided byalternative embodiments without departing from the scope of the appendedclaims. In this regard, for example, different combinations of elementsand/or functions than those explicitly described above are alsocontemplated as may be set forth in some of the appended claims.Although specific terms are employed herein, they are used in a genericand descriptive sense only and not for purposes of limitation.

What is claimed is:
 1. A mobile station comprising: a modem and at leastone antenna configured to communicate with a plurality of cellularnetworks; and one or more memories storing computer-executableinstructions that, when executed, configure a mobile application runningon a processor that facilitates communication between the modem and avirtual reprogrammable universal integrated circuit chip (eUICC) that isnot physically or electrically connected to the modem, and causeconfiguration of a virtual machine to host the virtual eUICC, whereincausing configuration of the virtual machine includes causing:initialization of a data storage module of the virtual machine withuser-provided biometric information as a parameter to create encryption,decryption, and signature keys; loading of the data storage module uponeach device boot-up; encryption and decryption of data associated withthe virtual machine using the encryption and decryption keys; digitalsigning of data associated with the virtual machine using the signaturekey; and storage of the digitally signed data in a storage memory,wherein security of the virtual eUICC is maintained using theuser-provided biometric information and without reliance on a trustedexecution environment of the mobile station.
 2. The mobile station ofclaim 1, further comprising: a biometric information capturing element,wherein the user-provided biometric information is captured by thebiometric information capturing element.
 3. The mobile station of claim2, wherein the biometric information capturing element comprises abuilt-in fingerprint scanner or camera device.
 4. The mobile station ofclaim 1, wherein the digitally signed data comprises at least one of aGSM file system, one or more Java Card applications, or one or morenetwork authentication keys, and wherein the digitally signed data isformatted into data blocks.
 5. The mobile station of claim 4, whereinthe storage memory maintains the data blocks in a journaling filesystem.
 6. The mobile station of claim 1, wherein digitally signing thedata comprises signing checksums or hashes of the data with thesignature key.
 7. The mobile station of claim 1, wherein digitallysigning the data comprises: calculating redundancy check values for thedata; and signing the redundancy check values with random keys.
 8. Amethod for communicating in multi-active mode with a plurality ofcellular networks, the method comprising: providing a mobile devicehaving a modem and at least one antenna configured to communicate with aplurality of cellular networks; configuring a mobile application runningon a processor to facilitate communication between the modem and avirtual reprogrammable universal integrated circuit chip (eUICC) that isnot physically or electrically connected to the modem; and causingconfiguration of a virtual machine to host the virtual eUICC, whereincausing configuration of the virtual machine includes causing:initialization of a data storage module of the virtual machine withuser-provided biometric information as a parameter to create encryption,decryption, and signature keys; loading of the data storage module uponeach device boot-up; encryption and decryption of data associated withthe virtual machine using the encryption and decryption keys; digitalsigning of data associated with the virtual machine using the signaturekey; and storage of the digitally signed data in a storage memory,wherein security of the virtual eUICC is maintained using theuser-provided biometric information and without reliance on a trustedexecution environment of a mobile station.
 9. The method of claim 8,wherein the mobile device further includes a biometric informationcapturing element, and wherein the method includes capturing theuser-provided biometric information using the biometric informationcapturing element.
 10. The method of claim 8, wherein the digitallysigned data comprises at least one of a GSM file system, one or moreJava Card applications, or one or more network authentication keys, andwherein the digitally signed data is formatted into data blocks.
 11. Themethod of claim 10, further comprising: maintaining the data blocks in ajournaling file system in the storage memory.
 12. The method of claim 8,wherein digitally signing the data comprises signing checksums or hashesof the data with the signature key.
 13. The method of claim 8, whereindigitally signing the data comprises: calculating redundancy checkvalues for the data; and signing the redundancy check values with randomkeys.
 14. One or more non-transitory computer-readable media storingcomputer executable instructions that, when executed by a mobile stationhaving a modem and at least one antenna configured to communicate with aplurality of cellular networks, cause the mobile station to: configure amobile application running on a processor to facilitate communicationbetween the modem and a virtual reprogrammable universal integratedcircuit chip (eUICC) that is not physically or electrically connected tothe modem; and cause configuration of a virtual machine to host thevirtual eUICC by causing: initialization of a data storage module of thevirtual machine with user-provided biometric information as a parameterto create encryption, decryption, and signature keys; loading of thedata storage module upon each device boot-up; encryption and decryptionof data associated with the virtual machine using the encryption anddecryption keys; digital signing of data associated with the virtualmachine using the signature key; and storage of the digitally signeddata in a storage memory, wherein security of the virtual eUICC ismaintained using the user-provided biometric information and withoutreliance on a trusted execution environment of the mobile station. 15.The one or more non-transitory computer-readable media of claim 14,wherein the mobile station further includes a biometric informationcapturing element, and wherein the user-provided biometric informationis captured by the biometric information capturing element.
 16. The oneor more non-transitory computer-readable media of claim 15, wherein thebiometric information capturing element comprises a built-in fingerprintscanner or camera device.
 17. The one or more non-transitorycomputer-readable media of claim 14, wherein the digitally signed datacomprises at least one of a GSM file system, one or more Java Cardapplications, or one or more network authentication keys, and whereinthe digitally signed data is formatted into data blocks.
 18. The one ormore non-transitory computer-readable media of claim 14, whereindigitally signing the data comprises signing checksums or hashes of thedata with the signature key.
 19. The one or more non-transitorycomputer-readable media of claim 14, wherein digitally signing the datacomprises: calculating redundancy check values for the data; and signingthe redundancy check values with random keys.
 20. The one or morenon-transitory computer-readable media of claim 17, wherein the datablocks are maintained in a journaling file system in the storage memory.